Sophos

W32/Tariprox-B

Summary

Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Delete the HOSTS file or replace it from a backup or original media.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmoplib = <Windows>\MMOPLIB.EXE

and delete it if it exists.

Close the registry editor.

More Information

W32/Tariprox-B is a proxy worm which attaches itself to outgoing emails.

The worm will arrive as an email attachment called <username>.doc.pif, where <username> is the name of the email recipient.

When run, it copies itself to the Windows directory as MMOPLIB.EXE and creates the registry entry

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mmoplib = <Windows>\MMOPLIB.EXE

so that the worm is run automatically each time the machine is restarted. It also replaces/creates the HOSTS file, which maps machine names to IP addresses.

The HOSTS file is used by various network-related programs, such as Outlook and Outlook Express, in order to quickly resolve machine IP addresses (rather than having to query the DNS database).

In order to work on both Windows 95/98/Me and Windows NT/2000/XP computers, the worm will try to create or replace the file HOSTS or HOSTS.bak in the Windows and Winnt\System32\drivers\etc\ directories.

The existing HOSTS file may be named HOSTS.sam (the default for Windows 95/Windows 98), in which case it will remain unchanged. However, the version created by the worm (without an extension) will be used in preference.

The worm creates an entry in the new HOSTS file which maps the default SMTP server to the loop-back address 127.0.0.1.

The worm then runs in the background waiting to accept a connection on port 25 (the SMTP port).

When the user tries to send an email, the email client program (such as Outlook or Outlook Express) tries to establish a connection to the SMTP server on port 25, but mistakenly uses the address 127.0.0.1 and so actually connects to the worm.

The worm establishes a connection to the real SMTP server (on port 25) and acts as a go-between, sending its own data at the appropriate moment.
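The redirect described above leaves a recognisable trace: a real host name (here the mail server) mapped to a loopback address in the HOSTS file. The following parser, added here as an example and not part of the Sophos write-up, flags such entries; the sample HOSTS contents and the host names in it are constructed for illustration.

```python
"""Flag HOSTS-file entries that redirect a real host name to a loopback address.

Added example, not Sophos' own code. W32/Tariprox-B maps the default SMTP server
to 127.0.0.1 so that the mail client connects to the worm's local port-25
listener; a legitimate HOSTS file only maps localhost-style names to loopback.
"""
import ipaddress

# Names that legitimately resolve to loopback and must not be flagged.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                        "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()                 # spaces or tabs both separate fields
        if len(fields) < 2:
            continue                          # no host names on this line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an address
        for name in fields[1:]:
            yield str(ip), name.lower()

def find_loopback_hijacks(text, mail_servers=()):
    """Return sorted (hostname, ip, kind) for names redirected to loopback.

    mail_servers: host names the mail client is configured to use (assumed
    known to the caller). A hit on one of these is exactly the redirect the
    worm relies on, so it is labelled 'mail-server'; other hits are 'other'.
    """
    mail = {m.lower() for m in mail_servers}
    hits = []
    for ip, name in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback and name not in LEGIT_LOOPBACK_NAMES:
            hits.append((name, ip, "mail-server" if name in mail else "other"))
    return sorted(hits)

# Constructed sample: a HOSTS file after a worm-style replacement.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1\tlocalhost
::1 localhost ip6-localhost
127.0.0.1   smtp.example.com   # redirect of the default SMTP server
127.0.0.1 pop3.example.com
192.0.2.10 intranet.example.com
"""

if __name__ == "__main__":
    for hit in find_loopback_hijacks(SAMPLE_HOSTS, mail_servers=["smtp.example.com"]):
        print(hit)
```

Run against the live file (Windows\HOSTS or Winnt\System32\drivers\etc\HOSTS as the text above notes) and pass the mail server name the client is configured with; any 'mail-server' hit on a workstation warrants checking for a local port-25 listener.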

The worm avoids repeatedly sending itself to the same person by keeping a list of the 5 most recent recipients in the following registry key:

HKLM\Software\Microsoft\Media Optimization library\MRU = NULL, NULL, recipient3, recipient2, recipient1.

It does not attach itself to emails destined for these people.

On some networks the same machine acts as both the outgoing and incoming mail server. If this is the case, when an email client attempts to connect to the server to download email, the worm accepts the connection but doesn't pass on responses if they're not related to sending email. This may prevent the user from downloading new emails.

Any other programs that use the HOSTS file to resolve IP addresses (such as Telnet) will also be unable to establish a connection to the machine acting as the default SMTP server, because they will attempt to connect to 127.0.0.1.

On many network configurations, however, there will be one machine to handle SMTP and one to handle POP3 (or IMAP, DSMP etc.). On these networks the worm will function as intended.

The worm was designed primarily to work with Outlook Express and so may not work properly with other MAPI client programs.

W32/Tariprox-B is a Windows PE executable and has a size of 40,960 bytes. UPX packed versions also exist, which have a size of approximately 21KB. Both versions are detected by this identity.

The worm contains the text: 'W32.Taricone-B.worm@proxy by I.V.E.L.'.
